A vulnerability has been discovered within the widely used Bash software included on Linux and Mac operating systems, raising concerns about an exploit that some experts say stands to be more damaging than the Heartbleed bug identified earlier this year.

To remedy the shellshock vulnerability on an old Debian Lenny server, I had to rebuild bash from source.

Here’s a recipe that worked for me on Debian 5 (lenny):

# first find out which version you have, so you know which source and patch files to get
dpkg-query -l|grep bash
# sample output:
# ii bash 4.1-3 The GNU Bourne Again SHell
# do this in the /usr/src dir
cd /usr/src
wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz
tar zxvf bash-4.1.tar.gz
cd bash-4.1
# fetch and apply all patches, including the latest ones that patch CVE-2014-6271
# (upstream patch files are numbered from 001)
for i in $(seq -f "%03g" 1 12); do
wget -nv http://ftp.gnu.org/gnu/bash/bash-4.1-patches/bash41-$i
patch -p0 < bash41-$i
done
# configure, compile and install bash (this will install bash into /usr/local/bin/bash)
./configure && make
make install
# make a symlink from /bin/bash to the new binary
mv /bin/bash /bin/bash.old
ln -s /usr/local/bin/bash /bin/bash
# check that you're not vulnerable anymore with the following command;
# its output should no longer contain the word "vulnerable"
env x='() { :;}; echo vulnerable' bash -c echo
# you can now delete the old, vulnerable binary
rm /bin/bash.old
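
The final check and cleanup above can be scripted so that the backup is removed only when the shell at an explicit path passes the probe. This is an added example, not part of the original recipe; the function names shellshock_probe and remove_old_if_safe and the probe-done marker are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: gate removal of the backup shell on a passing CVE-2014-6271 probe.
# Paths are passed as arguments; nothing is hard-wired to /bin.

# Return 0 if the shell at $1 ignores the command that trails a function-style
# environment variable, 1 if it executes it, 2 if $1 cannot be run at all.
shellshock_probe() {
    bin=$1
    [ -x "$bin" ] || return 2
    # Same probe string as the recipe. stderr is dropped because patched builds
    # may print a warning about the rejected function definition.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo probe-done' 2>/dev/null) || return 2
    case $out in
        *vulnerable*) return 1 ;;   # trailing command was executed on import
        *probe-done*) return 0 ;;   # only the requested command ran
        *)            return 2 ;;   # shell did not run the probe command
    esac
}

# Remove the backup $2 only when the shell at $1 runs and passes the probe.
remove_old_if_safe() {
    new=$1 old=$2
    if shellshock_probe "$new"; then
        rm -f -- "$old"
        echo "ok: $new passed, removed $old"
    else
        rc=$?
        echo "keeping $old: probe of $new returned $rc" >&2
        return 1
    fi
}
```

After the symlink step, run it as root with: remove_old_if_safe /bin/bash /bin/bash.old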